Secrecy and user trust

Travis Arnold vestwearingpunk at gmail.com
Tue Sep 2 20:52:08 UTC 2008


John Aldrich wrote:
> Quoting Bill Davidsen <davidsen at tmr.com>:
>>
>> As noted, the detail I would have liked was to know if this was a
>> failure of system security or a failure of misplaced trust. If there is
>> a hole in their server system security it's likely to be in ours as
>> well.
>>
>> And if someone could say with certainty that packages downloaded before
>> {date} were safe, it would be more reassuring than "there is little
>> risk to Fedora users who wish to install or upgrade signed Fedora
>> packages." If the start date of the problem is known, that would be
>> really good information for people who keep a local repository and
>> don't have to upgrade every new install totally over the network.
>>
> Well, I know someone on this list said I should feel safe in upgrading
> my F6 box to F9. I don't know if that answers your questions or not.
> That being said, I think I'll wait until F10 or until fresh ISO images
> come out. Despite the fact that my only installation is a single,
> personal box, I don't want to risk getting hacked because someone *may*
> have gotten some bogus packages into the system and/or compromised the
> signing key for Fedora.
> 
> Unless/until someone from Fedora says "It is safe to install Fedora 9
> from the original ISO images distributed when F9 was released" I am not
> going to trust that they are safe.
> 
Hey, I am currently downloading the ISO DVD to install after I finish my
day's lessons. Is this not a good idea to do?

Travis



